ICO Fines Businesses Over Data Protection Fee

ICO issues the first fines to organisations that have not paid the data protection fee

The UK Information Commissioner’s Office (ICO) has fined more than 100 organisations for failing to pay the annual data protection fee. Organisations across the business services, construction and finance sectors are among the first to be fined.

Since September this year, the ICO has issued more than 900 notices of intent to fine organisations for non-payment of the data protection fee.

The notices serve as a final demand to organisations. Those that fail to pay can expect to receive a formal letter from the ICO outlining enforcement action.

Fines range from £400 to £4,000 depending on the size and turnover of the organisation. The ICO can levy a maximum fine of £4,350 if organisations fail to pay their data protection fees and aggravating factors apply.

Who must pay the data protection fee?
From 25 May 2018, all individuals, companies and organisations that process personal data or are responsible for how personal data is handled need to pay a data protection fee to the ICO, unless they are exempt.

The fee is £40 for micro organisations, £60 for small and medium organisations, and £2,900 for large organisations.

Exemptions apply to certain types of data processing. For example, you may be exempt if you process personal data only for one or more of the following reasons:

staff administration

advertising, marketing and public relations

accounts and records

not-for-profit purposes

personal, family or household affairs

maintaining a public register

judicial functions

processing personal data without an automated system such as a computer

Organisations that have a current registration (or notification) under the 1998 Data Protection Act – prior to 25 May 2018 – do not have to pay the new fee until that registration has expired. You can check if your fee is due for renewal here.